-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Auth token scopes? #1057
Comments
How do you plan to manage the list of users? Right now you have a list of users that can login in and the groups for single-server shared among different users. |
This (or something like it) could limit the potential of a compromised single-user server. Since OAuth right now produces a token that gives access to do anything with the Hub on behalf of the visitor, I'm not okay with that being the case for 0.8. One simple way to implement this is to separate the OAuth access token into something dedicated for the "Only identify the user" rather than an API token. This can be hardcoded pretty simply by adding support for identification via access token into the However, if a service really does want to perform actions on behalf of the user, OAuth scopes would be the way to do it. |
With jupyterhub/oauthenticator@a5f05c2 in oauthenticator, we can actually implement some sort of required_scope logic, which verifies auth_state.scope returned from oauth idp. I currently use a subclass overriding
|
Now that we have oauthlib landed, we can start each scope may have up to three permission specifiers:
The main question remaining for me is how to manage access to servers. Right now, we use the Additional scopes that make sense, but I might prefer to save for a later iteration:
|
Re: #2436, could you elaborate on assigning scopes to URLs? Are we talking the individual API URLs? Security-wise, I think my initial goal would be a way to construct an "elevated" account that exists between a weakly-trusted user and an administrator. It grants access to basic user servers (including other elevated users(?)), but no access to admin servers and no ability to modify user data (create/delete/admin). I don't quite see a way to construct that out of the proposed scopes. Server access could be hacked together with write access to all-servers granting only non-admin server access. Admin flag configuration could be moved to admin on Under this method, an "elevated" user could look somewhat like RW for |
@minrk can you talk a bit more about how you see this interplaying with oauth scopes. I have been thinking that JupyterHub as an oauth provider would declare a standard set of oauth scopes that could be requested in the oauth token flow. These scopes could then be used to control authorization to the different entities running in JupyterHub (admin panel, single user servers (and individual services running within them), other jhub services). This would require making the single user server aware of these scopes/tokens and use them in determining if a given request is authorized. This would allow fine grained access to the different services of the single user servers (for example, rw access to notebooks, but no code running). |
@minrk @jupyterhub/binder-team FYI related issue from JupyterLab dashboarding |
I mean go through the endpoints in the rest api and make sure that each API endpoint has an associated scope (this doesn't mean each one needs to be distinct, just that the coverage should be complete). For example
I think this is where users can be granted limited access to scopes. E.g. right now, we only have two classes of user: admin (access to everything, with the possible exception of user servers), and regular (no administrative privileges). Scopes will allow us to define a user's permission level, e.g. granting individuals read access to the user list, for instance. So scopes are applied at both the individual token and the user level (tokens for a given user are limited to a subset of the user's permissions).
I'm not quite sure I know what |
@minrk thanks for the reply. Reading your previous comments, I don't know how I was unclear that you were talking about OAuth scopes. But that is pretty clear now ;-) I like the idea of r/w scopes being directly related to the HTTP verbs that users is allowed to use. One of the things that is emerging in conversations with Zach is that the idea of permissions, while related, is possibly a different things than OAuth scopes. Some examples:
|
Here is the GitHub does on their OAuth scopes: https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/ From my reading, per repo permissions are a separate question than their scopes. |
Ah, I don't believe that JupyterHub should be involved in HubShare per-file permissions. That should be entirely under the control of HubShare. The only scope that's JupyterHub related ought to be whether the given token is allowed to talk to the HubShare service or not. I believe the same goes for access to kernels. That doesn't seem like it should be in-scope for JupyterHub authentication. That seems to be something that should be wholly under the control of a customized user environment. I agree that per-server permissions are probably going to need to be handled specially, though scopes seem like they might be a good fit. Otherwise, there will be no way to grant a token access to a server, a token will always and only be able to access all servers a user has permission to access (the current state). |
Hi, @minrk and I have compiled a draft list of JupyterHub oauth scopes: https://hackmd.io/@4G1An0geTrulPAvy23CzEQ/juptyerhub-scopes Any comments/suggestions are welcome |
Hi any news with this issue ? |
Since we have OAuth set up, we may consider the notion of scopes. However, I realize this does't really have anything to do with OAuth, but rather adding the notion of scopes to our existing API tokens.
This could change how services / servers ask the Hub if a given user should have access. Instead of asking "who is this?" and checking against a local set of permitted users, the service could ask the Hub "should I allow this user?", enabling the Hub to manage the list of users with access to each.
The text was updated successfully, but these errors were encountered: